POL-01 — Privacy & Confidentiality Policy

Privacy at CONVI is not treated as a compliance obligation. It is treated as a condition of the relationship between provider and participant — fundamental to trust, safety, and professional integrity.

Document reference	POL-01
Version	v1.0
Status	Current — Authoritative
Applies to	All staff, contractors, volunteers, and directors of CONVI
Review cycle	Annual (or upon legislative change)
Next review	May 2027
Policy owner	Director — Alex Attard

1. Legislative Framework

This policy is governed by and implemented in accordance with:

Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
Health Records Act 2001 (Vic) and the Health Privacy Principles (HPPs)
NDIS Act 2013 (Cth) and the NDIS (Provider Registration and Practice Standards) Rules 2018
NDIS Practice Standards — Core Module, including requirements for participant privacy and dignity
Disability Act 2006 (Vic)
Relevant mandatory reporting legislation applicable in Victoria

Where these frameworks impose different or additional obligations, CONVI applies the higher standard.

2. What Information CONVI Collects

2.1 Participant Information

CONVI collects personal and sensitive information about participants to deliver safe, appropriate, and compliant support services. This includes:

Full name, date of birth, contact details, and NDIS number
Health, disability, and medical information relevant to support delivery
Emergency contacts and nominee or guardian details
NDIS plan information, goals, and funding categories
Session notes, progress records, and incident reports
Risk assessments and support plans

2.2 Worker Information

CONVI collects personal information about workers for employment and compliance purposes, including:

Identity, contact, and banking details for payroll
Qualifications, credentials, and training records
Working with Children Check and NDIS Worker Screening Check details
Performance and supervision records

3. How Information Is Collected

Information is collected directly from participants (and their nominees or guardians) at intake, through service agreements and intake forms, and from referrers and support coordinators with participant consent. Worker information is collected during the recruitment and onboarding process.

4. Use of Personal Information

CONVI uses personal and sensitive information only for the primary purpose for which it was collected, or for a secondary purpose that is directly related and the individual would reasonably expect. This includes:

Designing and delivering support services aligned to participant goals
Billing, invoicing, and financial administration
Incident management and mandatory reporting
Quality review and continuous improvement
Staff management and supervision
Regulatory compliance and audit response

5. Disclosure of Personal Information

5.1 Permitted Disclosures

CONVI may disclose participant information without additional consent where:

The disclosure is to the NDIA, a plan manager, or a support coordinator acting in the participant's interest
The participant has consented to sharing with a treating professional or other provider
Disclosure is required by law (mandatory reporting, NDIS Commission investigation)
There is a serious and imminent threat to life, health, or safety

5.2 Disclosures Requiring Separate Consent

CONVI will not disclose participant information to family members or carers without the participant's explicit consent (or nominee authorisation), other service providers without a documented referral or information-sharing consent, any commercial or research entity, or media or third parties.

5.3 Worker Information

Worker personal information is shared only for employment purposes (payroll, superannuation, credential verification). CONVI does not disclose worker information to third parties except as required by law.

6. Information Security & Storage

CONVI stores all personal and sensitive information securely using Microsoft Dynamics 365 Business Central and associated Microsoft 365 services, which provide enterprise-grade security, access controls, and audit logging. Physical documents are stored securely and are not left accessible in common areas.

Access to participant information is restricted to authorised CONVI staff on a need-to-know basis. Information is not transmitted via SMS, social media, or unsecured email. CONVI uses Microsoft Teams and encrypted email for communications involving personal data.

7. Records Retention & Disposal

CONVI retains records in accordance with applicable legislation and NDIS requirements:

Participant service records are retained for seven (7) years following the end of the service relationship
Records relating to a child participant are retained until the person turns 25, or for seven years — whichever is later
Worker employment records are retained for seven (7) years following the end of employment

Records are disposed of securely. Physical documents are shredded. Digital records are permanently deleted from all systems including backups where practicable.

8. Access & Correction Rights

Participants and workers have the right to access the personal information CONVI holds about them. Requests for access should be made in writing to the Director at alex@convi.au. CONVI will respond within 30 days. Where information held is inaccurate, incomplete, or out of date, CONVI will correct it promptly on request.

9. Privacy Breaches

A privacy breach occurs when personal information is lost, accessed, disclosed, or used without authorisation. CONVI will respond to any suspected privacy breach by containing the breach, assessing the risk of harm, and notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) where required under the Notifiable Data Breaches scheme.

10. Complaints About Privacy

Any person who believes CONVI has mishandled their personal information may make a complaint to the Director. CONVI will acknowledge the complaint within 5 business days and aim to resolve it within 30 days.

If not resolved to the person's satisfaction, they may escalate to:

Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au
NDIS Quality and Safeguards Commission: 1800 035 544
Health Complaints Commissioner (Vic): 1300 582 113

11. Privacy Officer

Alex Attard — Director, CONVI
Email: alex@convi.au
Phone: +61 494 574 786

POL-01 | v1.0 | May 2026 | Convi Pty Ltd (ACN 677 127 703) as Trustee for Attard Family Australia Trust | ABN 60 342 025 267

← Back to policy library